Plugin v0.1.1
ClawScan security
Host Git Workflow: Branch to Merge, Safely · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 2:54 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally does what it says (bounded host-backed git/PR flow) but there are notable inconsistencies and sensitive behaviors (missing declared requirements, host SSH/keys remediation, arbitrary host command execution) that the user should review before installing.
- Guidance: This skill is broadly coherent with its stated purpose (bounded, host-backed git/PR flow) but you should review a few things before installing:
  1. The registry metadata doesn't list the runtime binaries and config it actually relies on — verify that git, gh, ssh, and Docker (if you use the container remediation flow) are available on the host and that you will provide pluginConfig.nodeSelector and hostRepoPath.
  2. The preflight/remediation steps explicitly inspect and may recommend copying SSH private keys into containers and changing permissions; only allow this if you trust the host/node and understand the security implications of moving private keys.
  3. The tool executes commands on a bound host via the platform gateway (node.invoke), so do not enable the plugin on nodes you don't trust.

  If unsure, review the included source (ops.js, preflight.js, execution.js) or run the plugin in a safe test environment and perform Doctor/Plan flows first (they surface blockers) before allowing confirmed-plan execution. Consider disabling autonomous invocation or restricting the plugin to invited sessions until you are comfortable with its behavior.
- Findings
  - [child_process.execFile] expected: The skill runs git/gh/ssh via execFile in ops.js to implement push/PR/checks; this is expected for a host-backed git workflow.
  - [node.invoke / callGatewayTool] expected: The runtime uses callGatewayTool('node.invoke') to run commands on a bound host node. This is necessary for host-backed execution but means the plugin will request the platform to execute shell commands on the node.
  - [ssh / docker cp commands] expected: Preflight remediation includes inspecting ~/.ssh and docker cp of private keys into containers. This is relevant to repairing SSH-based GitHub access but is sensitive because it involves handling private keys.
Review Dimensions
- Purpose & Capability (concern): The plugin implements a host-backed git workflow and legitimately needs access to git, gh, ssh, and a bound host node, and to a plugin config containing nodeSelector and hostRepoPath. However, the registry metadata declares no required binaries, no required config paths, and no env vars, which is misleading. The code and SKILL.md both rely on git, gh, ssh, and docker (for container remediation) as part of preflight and remediation — those should be declared in metadata.
- Instruction Scope (note): SKILL.md and the runtime code instruct the agent to inspect the bound host repo, run git/gh/ssh commands, and — in Docker remediation flows — inspect /home/node/.ssh and copy private keys into containers (docker cp) and change ownership/permissions. This behavior is in-scope for resolving GitHub SSH and push readiness but is sensitive: it involves reading/manipulating SSH material and running host-side remediation commands. The instructions avoid free-form shell passthrough, but they do perform potentially secret-bearing operations on the bound host.
- Install Mechanism (ok): There is no install/download mechanism; the package is shipped with distributed source files. No external URLs or archive extraction were used by the skill metadata. This is lower install risk, though users should still audit the included code because it will run host commands.
- Credentials (note): No credentials or environment variables are declared as required in the metadata. The code does read optional env overrides (e.g., OPENCLAW_HOST_GIT_WORKFLOW_GIT_BIN, OPENCLAW_HOST_GIT_WORKFLOW_GH_BIN) and uses pluginConfig (nodeSelector, hostRepoPath). No API keys are requested, which is proportional, but the absence of declared required binaries/config in the registry metadata is misleading.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges in metadata. It registers an optional tool and runs actions only when invoked. However, when bound to a host node the skill can execute arbitrary commands via the platform's node.invoke mechanism — this is expected for a host-backed workflow but increases blast radius if the node or plugin is misused.
